Solved

User's My Documents folder Redirection and Administrator Access

Posted on 2009-03-31
Last Modified: 2012-05-06
I need to move our user folders in a Win2k3 domain over to a new file server.  It looks as if the GPO to set up folder redirection at one point must have had the Grant user exclusive rights option either enabled or not configured, as I am running into hundreds of folders that I cannot access as the users are the only ones that have access to them.  The GPO is not set that way now, but the folder permissions apparently do not get updated.  I can go in individually to these folders, take ownership, and then reset the permissions to gain access to them.  Does anyone know of a scripted way, or something, to do this across the board, without messing up the permissions as they are now?
Question by:jvincent9
8 Comments
 
LVL 27

Expert Comment

by:bluntTony
ID: 24028241
You can change the owner for the top level folder (i.e. the shared folder), and check 'Replace owner on subcontainers and objects'. This will make you the owner of all sub-objects.
Once you have given yourself ownership, you can then grant yourself the required permissions to the top folder, also checking the 'Replace permissions entries on all child objects...' checkbox.
You'll then have permissions to move/edit all the sub folders of the main shared folder. Failing this you could script it, but this should work I think.
 

Author Comment

by:jvincent9
ID: 24028735
I have looked into that route...  From what I have seen doing a folder at a time thus far, when I take ownership of the top level folder (the users folder in this case, to get ownership of their My Documents subfolder), it wants to grant the owner exclusive rights to the My Documents folder because I currently don't have access to it...  This will blow the user's permissions away, and then I need to go back up to the level of the user's folder, and re-apply the permissions down so they get access back to their My Documents folder...  Is that making sense?
 
LVL 27

Expert Comment

by:bluntTony
ID: 24028830
Changing yourself to the owner won't affect the user's permissions - this just allows you to then edit the permissions. You can then add yourself in to the ACL with the required permissions, still leaving the user's permissions intact.
If you do this on the root folder (the one that is shared - you'll need to log on to the server to do this locally or via RDP), change owner/apply the permissions to all sub-objects as described above - you should be in business.

 

Author Comment

by:jvincent9
ID: 24030817
Here is what I mean...  Admin group is already the owner of each user folder.  We have a My Documents folder under each of those that is the redirected user folder that we don't have permissions to...  See screenshot attachment.  When trying to filter the ownership down to the subfolders, I am presented with this.  If I say Yes, it replaces all permissions, and just adds the admin group with full control, removing the user's permissions.  I can then go back up to the user root folder, and push the permissions back down, and that is OK...  But I'm dealing with possibly a few thousand user folders that are affected this way...
owner.jpg
 
LVL 27

Expert Comment

by:bluntTony
ID: 24031527
OK, how about running a backup job to make a copy of the folders. Schedule an NTBackup job to back the folders up using the context of a user you have placed in the 'Backup Operators' local group on the file server.
You can then restore to the new server - worth testing on a handful first.
Either that, or you could apply the permissions under the SYSTEM context. Scripting the use of cacls during a startup script would do it, but this seems a bit convoluted. I'd try the backup.
 

Author Comment

by:jvincent9
ID: 24031988
Any idea on how to run a script under the system context?  I might actually give that a try first based on the amount of data that I would need to restore from a backup...  I already have some cacls.exe scripts that I could tweak if I could just run them as a user that can modify the folder/file ACLs.
 
LVL 27

Accepted Solution

by:
bluntTony earned 500 total points
ID: 24037550
You can open a cmd window in the SYSTEM context using the following method. It's not the best but it works. You have to run this locally on the machine, not from an RDP session as the cmd window will only open on the console session:
From the command prompt, type:
sc create testsvc binpath= "cmd /K start" type= own type= interact
..this creates a service called 'testsvc' which opens the command prompt in the SYSTEM context. To start the service:
sc start testsvc
...you'll get an error message saying that the service failed to start in a timely fashion, but a cmd window will pop up. A quick check in Task manager will show the process as running under the SYSTEM context. You can then launch this service each time you need to do this.
Try and run cacls in this cmd window...
 

Author Closing Comment

by:jvincent9
ID: 31564782
Coolest solution ever!  Thanks bluntTony!  Within the cmd running as System I am able to inject the administrators group to the ACL of all user folders now.  Awesome solution!!!  Thanks again!
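
One way to script the step described in the accepted solution and the closing comment, as an added example that is not part of the original thread: a batch file, run from the SYSTEM-context cmd window, that adds the Administrators group to each redirected My Documents folder with cacls in edit mode so the user's existing entries are kept. The share root D:\Users and the log file name are assumptions; adjust them to the real layout and test on a handful of folders first.

```bat
@echo off
rem Added example, not code from the thread.
rem ASSUMPTIONS: D:\Users is the share root (hypothetical path) and every user
rem folder holds a "My Documents" subfolder, as described in the question.
setlocal
set "ROOT=D:\Users"
set "LOG=%TEMP%\acl-fix.log"

rem Refuse to run unless this window really is the SYSTEM-context cmd.
whoami | find /i "nt authority\system" >nul
if errorlevel 1 (
    echo This script must be run from the SYSTEM command prompt.
    exit /b 1
)

echo ACL fix started %DATE% %TIME% > "%LOG%"

for /d %%U in ("%ROOT%\*") do (
    if exist "%%~U\My Documents" (
        rem Record the ACL as it is now, so the change can be reviewed later.
        echo === BEFORE: %%~U\My Documents >> "%LOG%"
        cacls "%%~U\My Documents" >> "%LOG%" 2>&1

        rem /E edits the ACL instead of replacing it (keeps the user's entry),
        rem /T applies to the folder tree, /C continues past access errors,
        rem /G grants Full Control (F) to the Administrators group.
        cacls "%%~U\My Documents" /T /E /C /G Administrators:F >> "%LOG%" 2>&1

        rem Record the result; the user's entry should still be listed.
        echo === AFTER: %%~U\My Documents >> "%LOG%"
        cacls "%%~U\My Documents" >> "%LOG%" 2>&1
    ) else (
        echo === SKIPPED, no My Documents: %%~U >> "%LOG%"
    )
)

echo Done. Review %LOG% before moving any data.
endlocal

rem When the migration is finished, remove the helper service so that no
rem interactive SYSTEM shell launcher stays installed on the file server:
rem     sc delete testsvc
```

Leaving out /E makes cacls replace the whole ACL, which is the loss of user permissions described earlier in the thread.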

Question has a verified solution.